pangolin_mirror/pangolin
1
0
Fork 0
mirror of https://github.com/fosrl/pangolin.git synced 2026-03-23 02:56:37 +00:00
Code Issues Packages Projects Releases Wiki Activity

Change SSH WIP

Browse Source
This commit is contained in:
Owen
2026-03-21 10:40:12 -07:00
parent 21b91374a3
commit d85496453f
1 changed files with 70 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
server/private/routers/ssh/signSshKey.ts
View File

@@ -21,7 +21,7 @@ import {
roles, roles,
roundTripMessageTracker, roundTripMessageTracker,
siteResources, siteResources,
sites, siteNetworks,
userOrgs userOrgs
} from "@server/db"; } from "@server/db";
import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed"; import { isLicensedOrSubscribed } from "#private/lib/isLicencedOrSubscribed";
@@ -62,11 +62,11 @@ const bodySchema = z
export type SignSshKeyResponse = { export type SignSshKeyResponse = {
certificate: string; certificate: string;
messageId: number; messageIds: number[];
sshUsername: string; sshUsername: string;
sshHost: string; sshHost: string;
resourceId: number; resourceId: number;
siteId: number; siteIds: number[];
keyId: string; keyId: string;
validPrincipals: string[]; validPrincipals: string[];
validAfter: string; validAfter: string;
@@ -250,10 +250,7 @@ export async function signSshKey(
.update(userOrgs) .update(userOrgs)
.set({ pamUsername: usernameToUse }) .set({ pamUsername: usernameToUse })
.where( .where(
and( and(eq(userOrgs.orgId, orgId), eq(userOrgs.userId, userId))
eq(userOrgs.orgId, orgId),
eq(userOrgs.userId, userId)
)
); );
} else { } else {
usernameToUse = userOrg.pamUsername; usernameToUse = userOrg.pamUsername;
@@ -374,21 +371,12 @@ export async function signSshKey(
const homedir = roleRow?.sshCreateHomeDir ?? null; const homedir = roleRow?.sshCreateHomeDir ?? null;
const sudoMode = roleRow?.sshSudoMode ?? "none"; const sudoMode = roleRow?.sshSudoMode ?? "none";
// get the site const sites = await db
const [newt] = await db .select({ siteId: siteNetworks.siteId })
.select() .from(siteNetworks)
.from(newts) .where(eq(siteNetworks.networkId, resource.networkId!));
.where(eq(newts.siteId, resource.siteId))
.limit(1);
if (!newt) { const siteIds = sites.map((site) => site.siteId);
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Site associated with resource not found"
)
);
}
// Sign the public key // Sign the public key
const now = BigInt(Math.floor(Date.now() / 1000)); const now = BigInt(Math.floor(Date.now() / 1000));
@@ -402,43 +390,64 @@ export async function signSshKey(
validBefore: now + validFor validBefore: now + validFor
}); });
const [message] = await db const messageIds: number[] = [];
.insert(roundTripMessageTracker) for (const siteId of siteIds) {
.values({ // get the site
wsClientId: newt.newtId, const [newt] = await db
messageType: `newt/pam/connection`, .select()
sentAt: Math.floor(Date.now() / 1000) .from(newts)
}) .where(eq(newts.siteId, siteId))
.returning(); .limit(1);
if (!message) { if (!newt) {
return next( return next(
createHttpError( createHttpError(
HttpCode.INTERNAL_SERVER_ERROR, HttpCode.INTERNAL_SERVER_ERROR,
"Failed to create message tracker entry" "Site associated with resource not found"
) )
); );
}
await sendToClient(newt.newtId, {
type: `newt/pam/connection`,
data: {
messageId: message.messageId,
orgId: orgId,
agentPort: resource.authDaemonPort ?? 22123,
externalAuthDaemon: resource.authDaemonMode === "remote",
agentHost: resource.destination,
caCert: caKeys.publicKeyOpenSSH,
username: usernameToUse,
niceId: resource.niceId,
metadata: {
sudoMode: sudoMode,
sudoCommands: parsedSudoCommands,
homedir: homedir,
groups: parsedGroups
}
} }
});
const [message] = await db
.insert(roundTripMessageTracker)
.values({
wsClientId: newt.newtId,
messageType: `newt/pam/connection`,
sentAt: Math.floor(Date.now() / 1000)
})
.returning();
if (!message) {
return next(
createHttpError(
HttpCode.INTERNAL_SERVER_ERROR,
"Failed to create message tracker entry"
)
);
}
messageIds.push(message.messageId);
await sendToClient(newt.newtId, {
type: `newt/pam/connection`,
data: {
messageId: message.messageId,
orgId: orgId,
agentPort: resource.authDaemonPort ?? 22123,
externalAuthDaemon: resource.authDaemonMode === "remote",
agentHost: resource.destination,
caCert: caKeys.publicKeyOpenSSH,
username: usernameToUse,
niceId: resource.niceId,
metadata: {
sudoMode: sudoMode,
sudoCommands: parsedSudoCommands,
homedir: homedir,
groups: parsedGroups
}
}
});
}
const expiresIn = Number(validFor); // seconds const expiresIn = Number(validFor); // seconds
@@ -459,18 +468,20 @@ export async function signSshKey(
metadata: JSON.stringify({ metadata: JSON.stringify({
resourceId: resource.siteResourceId, resourceId: resource.siteResourceId,
resource: resource.name, resource: resource.name,
siteId: resource.siteId, siteIds: siteIds
}) })
}); });
// TODO: WE NEED TO MAKE SURE THE MESSAGEIDS ARE BACKWARD COMPATABILE AND THE SITEIDS TOO AND UPDATE THE CLI TO HANDLE THE MESSAGE IDS
return response<SignSshKeyResponse>(res, { return response<SignSshKeyResponse>(res, {
data: { data: {
certificate: cert.certificate, certificate: cert.certificate,
messageId: message.messageId, messageIds: messageIds,
sshUsername: usernameToUse, sshUsername: usernameToUse,
sshHost: sshHost, sshHost: sshHost,
resourceId: resource.siteResourceId, resourceId: resource.siteResourceId,
siteId: resource.siteId, siteIds: siteIds,
keyId: cert.keyId, keyId: cert.keyId,
validPrincipals: cert.validPrincipals, validPrincipals: cert.validPrincipals,
validAfter: cert.validAfter.toISOString(), validAfter: cert.validAfter.toISOString(),